Hi, I have a RH7.2 machine that has had everything that's not being used shut off from day one:
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on (xxx.xxx.xxx.xxx):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
443/tcp    open        https
3306/tcp   open        mysql
10000/tcp  open        snet-sensor-mgmt

(Port 10000 is the Webmin package which uses https.)

But last night I got this in /var/log/messages:

Feb 12 20:00:37 xxx sshd(pam_unix)[18540]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69 user=xxxxxxxxxx
Feb 12 20:00:55 xxx sshd(pam_unix)[18540]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69 user=xxxxxxxxxx

Where the user in question was a user that was being used to ssh into this machine remotely, and the IP traces back to a Venezuelan ISP. So somehow s/he got the username.

Has anyone seen anything like this before? BTW I require ssh v2 connections. I've read a little here and there about "monkey in the middle" attacks on ssh, but don't you have to be on the same subnet?
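As an added example (not part of the original post), here is a small Python script that does what the poster did by eye: it scans /var/log/messages-style sshd(pam_unix) lines, aggregates failed logins per source host and target user, and flags sources over a threshold. The one detail worth handling is that pam_unix collapses repeats into "N more authentication failures" lines, so the count has to be taken from that number rather than counting lines. The sample log below is constructed for the example (hostnames, user names and the 10.0.0.5 address are made up); the 216.72.153.69 address is the one quoted in the post.

```python
import re

# Constructed sample modelled on the RH7.2 pam_unix format quoted in the post.
# The "2 more authentication failures" line is the collapsed-repeat form pam_unix
# emits; it must contribute 2 attempts, not 1.
SAMPLE_LOG = """\
Feb 12 20:00:37 host sshd(pam_unix)[18540]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69 user=alice
Feb 12 20:00:55 host sshd(pam_unix)[18540]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69 user=alice
Feb 12 20:03:10 host sshd(pam_unix)[18602]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob
Feb 12 20:05:00 host sshd(pam_unix)[18610]: session opened for user alice by (uid=0)
"""

# Matches both "authentication failure;" and "<N> more authentication failures;".
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"(?:(?P<more>\d+) more )?authentication failures?;.*?rhost=(?P<rhost>\S*).*?user=(?P<user>\S*)"
)


def parse_pam_failures(text):
    """Yield (timestamp, pid, rhost, user, attempts) for each sshd/pam_unix failure line."""
    for line in text.splitlines():
        m = PAM_FAIL_RE.match(line)
        if not m:
            continue  # session opened/closed and unrelated lines are ignored
        attempts = int(m.group("more")) if m.group("more") else 1
        yield (
            m.group("ts"),
            int(m.group("pid")),
            m.group("rhost") or "-",  # empty rhost= happens for local logins
            m.group("user") or "-",
            attempts,
        )


def summarize_failures(text):
    """Aggregate per (rhost, user): total attempts, first/last seen, sshd PIDs involved."""
    summary = {}
    for ts, pid, rhost, user, attempts in parse_pam_failures(text):
        entry = summary.setdefault(
            (rhost, user), {"attempts": 0, "first": ts, "last": ts, "pids": set()}
        )
        entry["attempts"] += attempts
        entry["last"] = ts
        entry["pids"].add(pid)
    return summary


def suspicious_sources(text, threshold=3):
    """Return sorted (rhost, user, attempts) tuples at or above the failure threshold."""
    return sorted(
        (rhost, user, e["attempts"])
        for (rhost, user), e in summarize_failures(text).items()
        if e["attempts"] >= threshold
    )


if __name__ == "__main__":
    for (rhost, user), e in sorted(summarize_failures(SAMPLE_LOG).items()):
        print(f"{rhost:>16} -> {user:<8} {e['attempts']:>3} failures "
              f"({e['first']} .. {e['last']}, pids {sorted(e['pids'])})")
    print("flagged:", suspicious_sources(SAMPLE_LOG))
```

On a real box you would feed it the file (`summarize_failures(open('/var/log/messages').read())`) from cron and mail anything `suspicious_sources` returns; a single sshd PID with several failures, as in the post, is one connection cycling through passwords, while many PIDs from one rhost is a reconnecting scanner.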
